
Concerns Rise Over Reported Breach Affecting Salesforce Customer Data


A significant cybersecurity incident has surfaced: ShinyHunters, a notorious hacking group, claims to have accessed data from around 100 major companies by exploiting misconfigurations in customers' Salesforce Experience Cloud sites. The stolen data raises concern about follow-on phishing attacks against the affected organizations and their customers. Among the companies named are Snowflake, Okta, LastPass, Sony, AMD, and Salesforce itself.

Salesforce confirmed that a "known threat actor group" has been scanning public-facing Experience Cloud sites, which serve as portals into CRM data for customers, partners, and employees. The exposure arises not from a flaw in the platform itself but from overly permissive configurations of the customer-defined guest user profile that governs what unauthenticated visitors can do.

Guest profiles can legitimately be configured to let unauthenticated visitors view public pages and submit forms. If the profile is granted more than that, an anonymous visitor can query Salesforce CRM objects and extract sensitive records. Salesforce has emphasized that the issue is specific to customer-defined settings and not a core flaw in its system.

The attackers reportedly use a modified version of AuraInspector, a tool originally released by Mandiant to detect misconfigured Experience Cloud endpoints. The variant adds mass scanning and bulk data extraction wherever guest user permissions are too broad.

Salesforce has issued advisories encouraging customers to review their guest user permissions, ensure the default external access (the org-wide default for external users) is set to Private, disable guest access to public APIs, and remove the API Enabled permission from guest user profiles.
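As an added example, not code from the article, Salesforce, or Mandiant, the Python below audits the inputs a practitioner would pull to check those recommendations. The SOQL strings use real Salesforce objects and fields (PermissionSet.PermissionsApiEnabled, Profile.UserType, ObjectPermissions, EntityDefinition.ExternalSharingModel), but the relationship filters and the record shapes are assumptions, and the sample records are constructed so the script runs offline.

```python
"""Audit Salesforce Experience Cloud guest user profiles for the permissive
settings the advisory calls out. Example code; not Salesforce's own tooling."""
from dataclasses import dataclass

# SOQL that gathers the inputs (e.g. `sf data query --query "..." --json`).
# Object and field names are real Salesforce schema; the relationship filters
# are an assumption and may need adjusting for a given org.
GUEST_PERMSET_SOQL = (
    "SELECT Id, Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    "WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'"
)
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT ParentId, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, "
    "PermissionsModifyAllRecords FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)
EXTERNAL_SHARING_SOQL = (
    "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition "
    "WHERE IsCustomizable = true"
)

# A guest profile that only needs to accept form submissions needs Create on
# the target object, never Read/View All and never any write-back permission.
READ_PERMS = ("PermissionsRead", "PermissionsViewAllRecords")
WRITE_PERMS = ("PermissionsEdit", "PermissionsDelete", "PermissionsModifyAllRecords")


@dataclass(frozen=True)
class Finding:
    profile: str   # guest profile name, or "(org-wide default)" for sharing findings
    check: str     # api_enabled | object_read | object_write | external_sharing
    detail: str


def audit_guest_profiles(permsets, object_perms, external_sharing):
    """Return one Finding per permissive setting found in the query results.
    Missing boolean keys in a record are treated as False."""
    findings = []
    names = {p["Id"]: p["Profile"]["Name"] for p in permsets}

    for p in permsets:
        if p["PermissionsApiEnabled"]:
            findings.append(Finding(names[p["Id"]], "api_enabled",
                                    "'API Enabled' is set on a guest profile; remove it"))

    for op in object_perms:
        profile = names.get(op["ParentId"], op["ParentId"])
        reads = [k for k in READ_PERMS if op.get(k)]
        writes = [k for k in WRITE_PERMS if op.get(k)]
        if writes:
            findings.append(Finding(profile, "object_write",
                                    f"{op['SobjectType']}: {', '.join(reads + writes)}"))
        elif reads:
            findings.append(Finding(profile, "object_read",
                                    f"{op['SobjectType']}: {', '.join(reads)}"))

    for obj, model in sorted(external_sharing.items()):
        if model != "Private":
            findings.append(Finding("(org-wide default)", "external_sharing",
                                    f"{obj} external access is {model}; set it to Private"))
    return findings


# Constructed sample results (not real org data), shaped like the query output.
GUEST_PERMSETS = [
    {"Id": "0PS000000000001AAA", "Profile": {"Name": "Partner Portal Profile"},
     "PermissionsApiEnabled": True},
    {"Id": "0PS000000000002AAA", "Profile": {"Name": "Support Site Guest User Profile"},
     "PermissionsApiEnabled": False},
]
GUEST_OBJECT_PERMS = [
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Contact", "PermissionsRead": True},
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Account", "PermissionsRead": True,
     "PermissionsEdit": True},
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Lead", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},
    {"ParentId": "0PS000000000002AAA", "SobjectType": "Case", "PermissionsCreate": True},
]
EXTERNAL_SHARING = {"Account": "Read", "Contact": "Private", "Lead": "Private", "Case": "Private"}

if __name__ == "__main__":
    for f in audit_guest_profiles(GUEST_PERMSETS, GUEST_OBJECT_PERMS, EXTERNAL_SHARING):
        print(f"[{f.check}] {f.profile}: {f.detail}")
```

On the constructed data the partner portal profile is flagged four times (API Enabled, plus Read on Contact, Read and Edit on Account, Read and View All on Lead), the org-wide default for Account is flagged because external access is Read rather than Private, and the support site profile, which only holds Create on Case for form intake, produces no findings. Feeding the script the real query output instead of the sample records is the only change needed to run it against an org.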

ShinyHunters has a notorious reputation, having been linked to numerous breaches since 2019. The group frequently threatens to release stolen data unless a ransom is paid. One notable incident in 2024 involved the breach of Snowflake customer databases, and other attacks have targeted consumer platforms and universities through social engineering and the exploitation of misconfigurations.

This incident highlights a widespread issue in enterprise security: misconfigurations are a prevalent attack vector. Platforms like Salesforce offer robust features and security controls, but customer misconfigurations, especially for public-facing elements, can inadvertently expose data.

Experience Cloud sites are designed for flexibility, allowing companies to build portals for unauthenticated visitors on top of a guest profile. Broad guest permissions, however, expose protected CRM data, and because the sites are public they give attackers an easy target for reconnaissance. The result can be an extensive data breach even at large companies with otherwise strong security reputations.

Organizations are urged to stay vigilant, audit guest user permissions, and enforce restrictive default settings to prevent unauthorized access. Monitoring system logs for unusual activities and implementing ongoing security reviews are also vital steps for defending against misconfiguration-related exposures.

This situation sheds light on the ongoing challenges in cloud security. As the SaaS landscape evolves, data held on robust platforms like Salesforce can still be exposed through customer misconfiguration and human error. Businesses must treat cloud security as an ongoing process rather than a one-time task to avoid exposing sensitive data and risking customer trust.
